Data Loss and Full Disk Encryption

There's been a great deal of concern about data loss over the past year or so. The Office of Management and Budget (OMB) came out with a directive in Memo 06-16 requiring Full Disk Encryption for all mobile devices. Now there's a new vulnerability identified that shows the key can be retrieved from volatile memory, so devices that go into hibernation are also vulnerable. Randy Nash discusses the patterns of data loss, security policy, full disk vs. folder encryption (human error), the OMB 06-16 memo, and the new vulnerabilities related to volatile memory.

When it comes to information security, unfortunately there is no "silver
bullet." Instead we use layered security controls, each one compensating
for weaknesses in the others.

Security would be so much simpler if everyone were honest, upright individuals
who would obey all the rules and never make mistakes. Then we’d be able to
handle most security issues with simple policies.

Sadly, that’s not the world we live in. We do start with policies to
establish a standard for expected behavior and to define the consequences for
breaking the rules. Policy is the foundation of all good security programs.

Next, we usually layer on various other controls, categorized as management
controls, operations controls, and technical controls. This is how the National
Institute of Standards and Technology (NIST) has broken down security controls
in SP 800-53a, Rev 2. This is a good guideline, establishing standards for
applying security in many situations.

This year alone there have been 49 publicly reported breaches as of the time
of this writing (3/12/2008). In 2007 there were 324 reported breaches, resulting
in the loss/exposure of an estimated 162,563,703 records.

This high volume of data breaches led the Office of Management and Budget
(OMB) to publish Memorandum 06-16, entitled "Protection of Sensitive Agency
Information."

The memo refers to various NIST guidance publications and then recommends the
following additional actions:

Encrypt all data on mobile computers/devices that carry agency data unless
the data is determined to be non-sensitive, in writing, by the Deputy Secretary
or an individual he/she may designate in writing.

Allow remote access only with two-factor authentication, where one of the
factors is provided by a device separate from the computer gaining access.

Log all computer-readable data extracts from databases holding sensitive
information and verify that each extract, including sensitive data, has been
erased within 90 days or its use is still required.

These requirements were quickly added to the Federal Information Security
Management Act (FISMA) reporting requirements for that period. In an effort to
demonstrate its awareness of the problems with such data loss, the OMB included
the following statement:

"We intend to work with the Inspectors General community to review these
items as well as the checklist to ensure we are properly safeguarding the
information the American taxpayer has entrusted to us."

While I have huge problems with the way this was handled (that’s
fodder for another article or two), the OMB was at least attempting to provide
relevant guidance.